American voter data left unsecured on Internet

Data on 198 million potential American voters was left exposed on the Internet without a password by a contractor for the US Republican National Committee, a researcher has found.

The exposed databases were part of a 25TB bunch of files in an Amazon Cloud account belonging to the data analytics firm Deep Root Analytics.

The account was found by UpGuard employee Chris Vickery, who regularly discovers such caches online. But he told The Hill that this discovery was much bigger than any he has seen before.

"In terms of the disk space used, this is the biggest exposure I've found. In terms of the scope and depth, this is the biggest one I've found," Vickery said. The files had a 198 million-entry database containing names and addresses plus an "RNC ID" that could be used, in conjunction with other exposed files, to research individuals.

As an example, The Hill cited a 50GB file of "Post Elect 2016" information, last updated in mid-January. It had modelled data about a voter's likely positions on 46 different issues ranging from "how likely it is the individual voted for Obama in 2012, whether they agree with the Trump foreign policy of 'America First' and how likely they are to be concerned with auto manufacturing as an issue, among others".

In its analysis of the discovery, UpGuard wrote: "The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting and Data Trust.

"In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as 'modelled' voter ethnicities and religions."

UpGuard said Vickery had found the database on 12 June, "while searching for misconfigured data sources on behalf of the Cyber Risk Team, a research unit of UpGuard devoted to finding, securing, and raising public awareness of such exposures".

It said that payments by the RNC to two of the companies totalled more than US$5 million. "Between January 2015 and November 2016, the RNC paid TargetPoint US$4.2 million for data services, and gave Causeway around US$500,000 in that time, according to Federal Election Commission reports. Deep Root, acting as Needle Drop, was paid US$983,000 by the RNC."

UpGuard said the exposure raised serious questions about the level of privacy and security that Americans could expect for their most privileged information.

"It also comes at a time when the integrity of the US electoral process has been tested by a series of cyber assaults against state voter databases, sparking concern that cyber risk could increasingly pose a threat to our most important democratic and governmental institutions."

Commenting on the incident, Forcepoint chief executive Matt Moynahan said: "The accidental data leakage of 200 million American voter records is the latest example of an unfortunate but sobering reality – more often than not, data breaches are caused not by malicious hackers but by inadvertent errors made by employees.

"Regardless of whether organisations are securing data using on-premises or cloud-based technology, like in the case of Deep Root Analytics, organisations need to balance protecting privacy and understanding how their employees interact with critical business data and intellectual property.

"They should look at people and protect against those behaviours that could result in the loss of valuable data or IP. Governments and corporations would make sustainable progress against these sorts of breaches only with a blend of human-centric security technologies, policies, cultural changes and intelligent systems that can observe cyber behaviour and decipher intent."


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.